Cannot get Syslog input into a stream

Hi There.

Stupid issue on my part I’m sure but I’m stumped. I have a couple of FreeNAS/TrueNAS boxes set up as inputs. When I select Show received messages I can see the syslog messages coming in. (TrueNAS uses syslog-ng)

I created a stream with the most basic rule I could think of to try to get the TrueNAS syslog events coming in.

source must match input FreeNASUDP

When I view the messages directly on the Input It shows me that the message is being routed to the appropriate stream. Testing the rules manually also shows a success, but when I go to view the stream, it is always empty, and shows no messaged coming in or out.

I have no clue what I am missing here.

Is there a better solution for capturing FreeNAS/TrueNAS logs? Am I missing extractors?

I was able to set up streams from our Windows systems using winlogbeats without an issue.

Any advice appreciated.

Thanks

Hello && Welcome

I just did a mockup on your statement. I unfortunately do not have any issues.

Example:
INPUT created for Security devices.
Created a stream called Test.

Title: test
Description: testing
Index set: Default index set

I left the box unchecked for Remove matches from " All messages"stream.

Create a rule like yours and started the stream Test

Seconds later I received messages in stream Test from input Security Devices.

I went to my “Test” stream to show all mesages.

image1787×542 27.4 KB

Only idea I have for this issue is adjusting the search time and perhaps make it greater then 5 minutes.
Hope that helps

Thank you for taking the time to test. I have some more details from my end as well which might indicate that I am just missing something.

As mentioned, with the way I have things set up currently, When I go to the stream where the device logs should be showing up, I see nothing.

I also get an error if I click to Load a Message to test rules.

But If then manually search for matches to the source field within the stream events are populated.

So it seems like the events ARE in fact being sent to the stream but are invisible until I manually search for items?

image1031×672 61.8 KB

Is this expected behavior? In my other streams content appears without me needing to set up a search query first.

Thanks Again.

Not that I know of, It took me 3 minutes to test your issue which I found none.
So, its not clear how your configuration are.

Out of curiosity, when you execute a manual search (from your picture you posted above) can you open one of the logs and show the left side?
What I’m wanted to see it this

Here you go:

image1057×930 57.7 KB

Thanks again for all your help. Is there a debug report or anything like that I could submit which might help?

When you click on the link “FreeNAS-ProJobACCESS” (shown in the red box) can you see the same message as shown below?

image774×488 22.8 KB

EDIT:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.